[pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges

Alexandre DERUMIER aderumier at odiso.com
Fri May 9 15:55:26 CEST 2014


I was thinking about something like



-A FORWARD -i fwbr+ -j PVEFW-FORWARD
-A FORWARD -i vnet0 -m set --match-set PVEFW-vnet0ipset src -j PVEFW-FORWARD
-A FORWARD -o vnet0 -m set --match-set PVEFW-vnet0ipset dst -j PVEFW-FORWARD


-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -o vnet0 -j PVEFW-FWBR-IN
      -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
      -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
      -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
      -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
      -A PVEFW-FWBR-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT 

-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -i vnet0 -j PVEFW-FWBR-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0  -j veth0.0-OUT
      -A PVEFW-FWBR-OUT -i venet0 -s 192.168.3.104 -j venet0-104-OUT

 
What do you think about it?



----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday, 9 May 2014 13:29:12
Subject: RE: [pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges

> >>This does not work, because it accepts traffic from venet0! 
> 
> Ok, I'll check that. 

But it seems to work perfectly without that. Maybe we should add other chains for venet-related
traffic:

PVEFW-VENET-IN 
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs 
-A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags 
-A PVEFW-VENET-IN -i venet0 -s 192.168.3.104 -j venet0-104-OUT 

PVEFW-VENET-OUT 
... 

What do you think?



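To see which traffic the chain layout proposed in this message actually firewalls and which traffic bypasses it, the following is an added example (it is not code from this thread and not Proxmox code): a toy Python evaluator that understands only the matches the proposed rules use (-i/-o with the "+" wildcard, physdev in/out and is-bridged, -s/-d, ipset src/dst, conntrack state, -p) and walks a packet through the chains. Assumptions: the rules are transcribed as listed above but with venet0 for the interface the proposal spells both vnet0 and venet0; the ipset contents, the bridge and link names vmbr0, fwbr123i0 and link123i0, and all sample packets are constructed for the illustration; PVEFW-tcpflags and PVEFW-smurfs are modelled as empty chains that return, and the per-guest chains (tap123i0-IN, venet0-104-OUT, ...) are reported as the verdict because that is where per-guest rules would take over.

```python
"""Toy evaluator for the proposed PVEFW FORWARD-chain layout (added example)."""
from dataclasses import dataclass


@dataclass
class Packet:
    in_if: str             # -i
    out_if: str            # -o
    src: str = ""          # -s / ipset src
    dst: str = ""          # -d / ipset dst
    physdev_in: str = ""   # --physdev-in  (empty: packet is not bridged)
    physdev_out: str = ""  # --physdev-out
    ctstate: str = "NEW"   # conntrack state
    proto: str = "ip"      # -p


# Constructed ipset: addresses owned by the venet0 container (assumption).
IPSETS = {"PVEFW-venet0ipset": {"192.168.3.104"}}


def ifmatch(pattern, name):
    """iptables interface wildcard: 'fwbr+' matches any name starting with 'fwbr'."""
    if not pattern:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def matches(rule, p):
    m = rule["match"]
    return (ifmatch(m.get("i", ""), p.in_if)
            and ifmatch(m.get("o", ""), p.out_if)
            and ifmatch(m.get("physdev_in", ""), p.physdev_in)
            and ifmatch(m.get("physdev_out", ""), p.physdev_out)
            and (not m.get("is_bridged") or bool(p.physdev_out))
            and ("s" not in m or m["s"] == p.src)
            and ("d" not in m or m["d"] == p.dst)
            and ("set_src" not in m or p.src in IPSETS[m["set_src"]])
            and ("set_dst" not in m or p.dst in IPSETS[m["set_dst"]])
            and ("ctstate" not in m or p.ctstate in m["ctstate"])
            and ("p" not in m or m["p"] == p.proto))


def R(target, **match):
    return {"match": match, "target": target}


# The proposal from the message, one entry per -A line (vnet0 read as venet0).
CHAINS = {
    "FORWARD": [
        R("PVEFW-FORWARD", i="fwbr+"),
        R("PVEFW-FORWARD", i="venet0", set_src="PVEFW-venet0ipset"),
        R("PVEFW-FORWARD", o="venet0", set_dst="PVEFW-venet0ipset"),
    ],
    "PVEFW-FORWARD": [
        R("DROP", ctstate={"INVALID"}),
        R("ACCEPT", ctstate={"RELATED", "ESTABLISHED"}),
        R("PVEFW-FWBR-IN", physdev_in="link+"),
        R("PVEFW-FWBR-IN", o="venet0"),
        R("PVEFW-FWBR-OUT", physdev_out="link+", is_bridged=True),
        R("PVEFW-FWBR-OUT", i="venet0"),
    ],
    "PVEFW-FWBR-IN": [
        R("PVEFW-tcpflags", p="tcp"),
        R("PVEFW-smurfs", ctstate={"INVALID", "NEW"}),
        R("tap123i0-IN", physdev_out="tap123i0", is_bridged=True),
        R("veth0.0-IN", physdev_out="veth0.0", is_bridged=True),
        R("venet0-104-OUT", o="venet0", d="192.168.3.104"),
    ],
    "PVEFW-FWBR-OUT": [
        R("tap123i0-OUT", physdev_in="tap123i0"),
        R("veth0.0-OUT", physdev_in="veth0.0"),
        R("venet0-104-OUT", i="venet0", s="192.168.3.104"),
    ],
    # Sanity chains: modelled as empty, i.e. they always RETURN here.
    "PVEFW-tcpflags": [],
    "PVEFW-smurfs": [],
}

TERMINAL = {"ACCEPT", "DROP"}


def trace(p, chain="FORWARD", visited=None):
    """Return (chains visited, verdict). A target with no chain defined here is
    the per-guest chain the packet is handed to; 'POLICY' means no FORWARD rule
    matched, so the packet never entered the firewall at all."""
    visited = [] if visited is None else visited
    visited.append(chain)
    for rule in CHAINS[chain]:
        if not matches(rule, p):
            continue
        t = rule["target"]
        if t in TERMINAL or t not in CHAINS:
            return visited, t
        visited, verdict = trace(p, t, visited)
        if verdict != "RETURN":
            return visited, verdict
    return visited, ("POLICY" if chain == "FORWARD" else "RETURN")


# Constructed sample traffic (names other than those in the proposal are assumed).
SAMPLES = {
    "plain-bridge": Packet("vmbr0", "vmbr0", physdev_in="tap999i0", physdev_out="eth0"),
    "to-vm": Packet("fwbr123i0", "fwbr123i0", proto="tcp",
                    physdev_in="link123i0", physdev_out="tap123i0"),
    "from-vm": Packet("fwbr123i0", "fwbr123i0",
                      physdev_in="tap123i0", physdev_out="link123i0"),
    "from-ct": Packet("venet0", "eth0", src="192.168.3.104"),
    "ct-not-in-set": Packet("venet0", "eth0", src="10.9.9.9"),
    "reply": Packet("fwbr123i0", "fwbr123i0", ctstate="ESTABLISHED",
                    physdev_in="link123i0", physdev_out="tap123i0"),
}


def run_all():
    return {name: trace(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (visited, verdict) in run_all().items():
        print(f"{name:14} {' -> '.join(visited)} => {verdict}")
```

The traces make the bypass visible: a guest on a plain bridge (no fwbr in the path) never leaves FORWARD and gets the chain policy, a packet toward tap123i0 goes FORWARD, PVEFW-FORWARD, PVEFW-FWBR-IN, the two sanity chains and then tap123i0-IN, and venet0 traffic with a source in the ipset ends in venet0-104-OUT. The ct-not-in-set sample also shows that, as transcribed, a venet0 packet whose source is not in the ipset matches nothing in FORWARD and is left to the policy rather than to any PVEFW chain.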